Information Privacy Protection under Anti-Money Laundering Legislation: An Empirical Study in Taiwan

Abstract

The newly added requirement in Taiwan’s Money Laundering Control Act to fully authenticate customers’ identity by regulated entities, particularly to reveal substantial beneficial owners, entails greater disclosure of customers’ private information. How to strike the balance between such disclosure and information privacy protection has not been mentioned yet in Taiwan. The goal of this research paper is to identify support measures, consisting of criteria, sub-criteria, and alternatives, for information privacy protection for future change. A questionnaire was developed through applying the modified Delphi method. This study also applied the analytic hierarchy process to the questionnaire to prioritize the importance of different criteria and sub-criteria and find the optimal alternative. The search results indicated that the criteria were (in order of importance) internal control in financial institutions, prior surveillance mechanisms, informed consent, and safe-harbor immunity. Further examination of the details for the sub-criteria indicated that the establishment of an external independent supervising mechanism and the adoption of a personal information impact assessment are increasingly prioritized for implementation. Moreover, Alternative 2 (“Public and private entities should implement criteria and sub-criteria simultaneously”) weighed 0.62 more in terms of importance compared with Alternative 1 (“Public entities should implement criteria and sub-criteria first”), which weighed 0.38.

1. Introduction

According to Wang [1], Taiwan’s modified Money Laundering Control Act, passed at the end of 2016, was a crucial legislative adjustment before it received a third-round evaluation by the Asia/Pacific Group on Money Laundering. The newly modified Act also raises serious concerns about the adequacy of information privacy protection, especially considering the increasing attention paid to money laundering.

The greatest concern lies in the anti-money laundering law requiring designated entities to perform the KYC (know your customer) procedure, also called CDD (customer due diligence), which constitutes a potential invasion of information privacy. Under the KYC or CDD procedural requirements, obligated entities must authenticate a customer’s identity to reveal the substantial beneficial owner and financial source; analyze the customer’s transactional model and identify violations; and report any suspicious behavior to government authorities. In short, obligated entities should aim to predict customers’ behaviors and surveil risks for illegality [2]. To fulfill their legal requirement, obligated entities ought to acquire much customer information to vindicate the legality of transactions [3].

The above-mentioned legal requirement directly ran into the trend in Taiwan to highly value information privacy protection. Article 5 in Taiwan’s Personal Data Protection Act declared the legitimate and reasonable connections between the invasion of information privacy and the purpose of collection. Therefore, to justify such connections regarding unprecedented personal information collection and avoid potential endowed-power abuse, the balance between anti-money laundering with personal information privacy protection thus hinges upon identifying support measures for such protection. This study used the modified Delphi method (MDM) combined with the analytic hierarchy process (AHP) to design and interpret a questionnaire. The questionnaire was intended to generate suggestions for implementing support measures for information privacy protection in Taiwan. The questionnaire was constructed based on expert opinion and a literature review of European Union (EU) and US studies. The MDM was applied to identify support measures that enhance information privacy protection, and the AHP was used to prioritize criteria or sub-criteria and determine the best alternative that resolves the dispute. EU literature was chosen because Taiwan’s legal structure for information privacy protection is similar to that of the EU. US literature was chosen because both the judicial branches of Taiwan and the US have yet to recognize information privacy as a fundamental human right [4].

The contribution of this study is its prescription of adequate support measures for information privacy protection in Taiwan under the pressure of KYC (or CDD) procedural requirements in Taiwan’s anti-money laundering legislation. The authors conducted this multidisciplinary study to aid Taiwanese policymakers in making policy adjustments. Additionally, generally speaking, the current notion of anti-money laundering has been closely associated with terrorist financing prevention. Therefore, “anti-money laundering” and similar terms are used in this article to mean some combination of both.

2. Literature Review

Money laundering could be conducted through many channels (e.g., banks and cards [5], hidden corporations [6], or tax evasion in banking sectors [7]), which are regulated entities that are obligated to report suspicious activities. As mentioned, Taiwan currently lacks an appropriate balance between anti-money laundering and personal information privacy protection. To identify potential criteria and sub-criteria for enhancing information privacy protection, this study conducted a literature review of EU and US studies.

2.1. Balancing between Anti-Money Laundering and Personal Information Privacy Protection: Methods Adopted by the EU

Early in 2011, the EU recognized the serious threat to information privacy from money laundering prevention. The Article 29 Working Party, an EU political party, argued that the collection, processing, and use of personal information should be commensurate with its purpose. They also argued that active, as opposed to merely passive, measures of protecting information privacy should be deployed, such as the establishment of protection policies and the rule of safe harbor in liability limitation as well as information security, supervisory authorities, and impact assessments [8]. Furthermore, instead of unconditionally accepting all recommendations from the Financial Action Task Force on Money Laundering, the directive was to be the outcome of a modified version of such recommendations for information privacy protection. Under the latest (fourth) version of the directive, the EU encourages financial intelligence units in its member states to implement an external, independent, and automatic anonymous matching system to analyze suspicious behavior reported by obligated entities and share information on outcomes with law enforcement, prosecuting authorities, or even other nation-states’ intelligence units. Such a system for sharing integrated information also underscores the increasing technological sophistication in information privacy protection in the EU.

Furthermore, the EU’s restrictive methodology for protecting information privacy, in contrast to that in the United States, has resulted in disputes over the transmission of trans-border information. In an actual case, the US government applied an administrative subpoena, authorized by the Terrorist Finance Tracking Program, on the Society for Worldwide Interbank Financial Telecommunication to access the society’s large database of customer personal information. This US judicial practice attracted much controversy for its inadequate procedural protection of information privacy. The Safe Harbor Principles signed by both parties, in which the US promised to adopt several external independent supervisory mechanisms, finally settled the dispute [9].

The European Data Protection Supervisor, the independent data protection authority laid down in EU regulations, provided several concrete suggestions for counterbalancing the harm to information privacy engendered by the aforementioned 2015 Directive on anti-money laundering measures. These suggestions are as follows (stipulated in the Guidelines on Data Protection in EU Financial Services Regulation [10]):

• Adopt information privacy impact assessments, such as the ISO standard 22307: 2008 Financial Services-Privacy Impact Assessment.
• The requirement that data should be retained for 5 years is capricious and unsubstantiated by solid evidence, and it should be abolished.
• No massive, repetitive, or nonstructural trans-border transmission of personal information shall be allowed, even if it is in the public interest.

2.2. The US Perspective

The US Supreme Court has never recognized personal information privacy as a fundamental human right. Thus, in contrast to those in the EU, US government agencies and law enforcement pay less attention to information privacy protection when combating money laundering. Even though information privacy protection is not emphasized in US anti-money laundering practices, US scholars have underscored the urgency of deploying support measures when enforcing anti-money laundering legislation. A literature review of relevant studies revealed several concrete suggestions, which are listed as follows:

• Obligated entities should earmark personnel and establish an internal institution for information privacy protection.
  De Dios [2] advocated having built-in internal institutions or personnel in obligated entities for resolving information privacy-related disputes, particularly disputes in trans-border information transmission arising from mismatches between a country’s information privacy protection measures and those of a foreign jurisdiction.
• The reporting of suspicious activities should be made immune to certain liabilities through a safe-harbor mechanism, albeit with certain limitations.
  Giuliano [11] noted that under the United States’ anti-money laundering legal infrastructure, reports of non-malicious anti-money laundering are immune from potential tort liability. Furthermore, Olejar [12] predicted that such safe harbor for non-malicious anti-money laundering reporting would lead to a flood of preventive reports into the system. Such reports cause no harm, whereas not filing such reports can lead to legal threats in the form of civil liability, criminal penalties, and/or follow-up administrative supervision. Surette [13] observed that, in a few cases, the US court even required the filing of reports that were based on reasonable good-faith suspicion.
• Prior judicial supervision mechanisms should be employed before law enforcement acquires personal information.
  Analyzing the Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept, and Obstruct Terrorism Act of 2001, Gouvin [14] argued that law enforcement can acquire all financial information pertinent to a specific person through the Financial Crimes Enforcement Network. This stipulation de facto treats such acquisition as part of the obligation to report suspicious money laundering activities. This type of information sharing can be easily attained through administrative subpoenas in the US as long as the targeted information is reasonably related to the alleged criminal investigation. This weakened procedural protection of information privacy in the US, unlike constitutional search and/or seizure, is unlikely to survive considering increasing concerns regarding information privacy protection among members of society. Therefore, Gouvin believed that some external independent force should exist to counterbalance the harm caused by such administrative subpoenas. Lee [15] also observed that except in the case of a real threat of an imminent terrorist attack, the administrative subpoena measure for investigating anti-money laundering raises serious concerns about the violation of the principle that ordinary search and seizure must be performed with probable cause as stipulated in the Fourth Amendment of the US Constitution.
• Informed consent should be acquired from the original source of personal information.
  Lacey and George [16] suggested that informed consent can also ameliorate the harm caused to information privacy protection by anti-money laundering legislation. They proposed that obligated entities should request their clients provide written informed consent upon being notified of the possible acquisition of their personal information for anti-money laundering, considering the obligated entity’s duty to file reports on suspicious activities. Lacey and George further stated that the notification of such informed consent should include a clear definition and lucid explanation (with accompanying illustrations if necessary) of the suspicious behavior.
• The attorney and accountant should have their report-filing duty restrained or be excluded from the definition of obligated entities in anti-money laundering activities.
  Olejar [12] found that even the Financial Action Task Force on Money Laundering intended to extend attorneys and accountants as obligated entities because of their gatekeeper function, which was an action that would have been met with tremendous societal opposition. Tsai [17] also mentioned that supporters of excluding attorneys and accountants as obligated entities believe that such professionals are likely to make the best judgments and be self-disciplined. Furthermore, the exclusion of attorneys and accountants mitigates the potential for direct conflict between the obligated report-filing duty required by anti-money laundering legislation and the potential attorney (accountant)–client privilege originating from the litigation procedural aspect. Lacey and George [16] indicated that attorneys in the EU are immune from report-filing obligations during the process of building a relationship with their clients as well as in the process of judicial litigation.

Based on the literature review, this study’s proposed analytic hierarchy structure includes five criteria and 10 sub-criteria, as listed in

Table 1. Criteria to be considered in the analytic hierarchy structure.

No.	Criteria	Illustration
A	Internal control in financial institutions	The Guidelines on Data Protection in EU Financial Services Regulation exemplifies the ISO standard 22307:2008 Financial Services-Privacy Impact Assessment.
B	Safe-harbor immunity limitation	The reporting of suspicious activities should be made immune to certain liabilities through a safe-harbor mechanism, albeit with certain limitations.
C	Prior surveillance mechanism	The practice of giving administrative subpoenas is unlikely to survive the constitutional scrutiny considering increasing concerns regarding information privacy protection among members of society.
D	Informed consent	Informed consent can also ameliorate the harm caused to information privacy protection by anti-money laundering legislation.
E	Exclusion of attorneys and accountants	Professionals are likely to make the best judgments and be self-disciplined. The exclusion of attorneys and accountants mitigates the potential for direct conflict between the obligated report-filing duty required by anti-money laundering legislation and potential attorney (accountant)–client privilege.

and

Table 2. Sub-criteria to be considered in the analytic hierarchy structure.

Sub-Criteria	Reference
(A1) Adopting personal information impact assessments	Guidelines on Data Protection in EU Financial Services Regulation.
(A2) Incorporating internal institutions or personnel	De Dios [2]
(B1) No immunity for non-malicious anti-money laundering reporting	Olejar [12]
(B2) Filing reports to be based on reasonable good-faith suspicion	Surette [13]
(C1) External independent force for supervision	Gouvin [14]
(C2) Warrant with probable cause for government acquisition	Lee [15]
(D1) Informed consent to permanent limitation of information privacy	Lacey and George [16]
(D2) Informed consent to temporary limitation of information privacy	Guidelines on Data Protection in EU Financial Services Regulation.
(E1) Professionals are likely to make the best judgments and be self-disciplined	Tsai [17]
(E2) Immunity in the process of building a relationship with clients and the process of judicial litigation	Lacey and George [16]

.

3. Research Methodology

To strike an appropriate balance of interests between anti-money laundering and personal information privacy protection, support measures are critical and must thus be identified. The modified Delphi method (MDM) uses expert knowledge as foundation in the research field and goes through the feedback of repeated questionnaire to systematize complex topics to reach a consensus. AHP also systematizes expert’s opinions on complex issues. Both MDM and AHP use samples of expert opinion as their foundation. Therefore, to achieve the goal of this research, this paper utilizes both research methods of MDM and AHP to carry out the study. Hence, this study aimed to find support measures that are appropriate to the Taiwanese context; it combined the MDM with the AHP to design and interpret a questionnaire.

3.1. MDM

Jointly created in 1960 by Dalkey and Helmer, the Delphi method involves anonymous expert group decisions through the process of brainstorming with the aim of structuring a questionnaire that is answered by experts. Murry and Hammons [18] formulated the MDM in their joint study, which refined the original method of anonymous expert group decisions. They believed that a literature review that is conducted to acquire indicators for a questionnaire, where these indicators are subsequently examined by several field experts, adequately substitutes for the tedious process of open discussion by experts; furthermore, this modification was thought to allow experts to better focus on the research subject and thus answer the questionnaire more efficiently. This MDM also allows for a more efficient construction of the questionnaire using prior academic results and an expert review, thereby determining sensible indicators and alternatives. Thus, the MDM has been widely adopted by the researchers.

3.2. AHP

This study adopted the AHP to construct a hierarchy and design an expert questionnaire to acquire subjective weights for each criterion, sub-criterion, and the best alternative. The AHP can compensate for the drawbacks of neglecting individual diverse variations in an equal weight methodology. Saaty [19] formulated the AHP theory. The AHP is an analytic operation that is qualitative, quantitative, systematic, and hierarchical in nature. It was designed to simplify the question of inquiry and construct a hierarchically layered structure of different levels of criteria that are integral to decision-making. Combined with weighted values, the AHP can be applied to find the best alternative from many choices, or it can serve be used to construct a prioritized pecking order and for resource planning, allocation, and combined investments. Saaty [20] compiled the theory, practice, and cases of the methodology into a book and further built the AHP into a type of multi-criteria decision-making theoretical model [21,22]. The hierarchical layer structure of the AHP can be defined by different levels of criteria, sub-criteria, and alternatives, and criteria of the same level are independent of each other. The researcher, through applying the AHP, systemizes the complicated question of inquiry through levels of criteria and sub-criteria and then performs pairwise comparisons within the same level. When conducting pairwise comparisons, the researcher substitutes the absolute scale with the ratio scale to provide some alternatives to the decision-maker as well as reduce risk in decision-making [21].

Recent research has applied the AHP to a variety of practical fields. Lee et al. [23] analyzed consumer behavior and prioritized consumer selection criteria (e.g., the product, sales personnel, physical store characteristics, and existing promotions) when browsing duty-free stores. The purpose of the research was to aid duty-free store managers in their development of sales strategies. Emete and Gazibery [24] used the AHP for their analysis and concluded that residents of Kyrenia and Nicosia in Cyprus prioritized necessary improvements and treatment for their own city. Cervelló-Royo et al. [25] evaluated the developing tendencies of residential trading and industry. They first analyzed the available data between 1970 and 2015, and based upon the AHP, collected expert evaluations to predict trends in residential trading and industry. Specifically, the variations in population, social environments, and architectural quality, which had been included in the AHP as criteria, implied people’s broadened recognition of living environments and investment portfolios in 2050. Racioppi et al. [26] applied the AHP to find the best alternative for improving tourist accommodation facilities and reaching the goal of energy efficiency and reduced energy consumption. To find the best alternative, total weights for every alternative based upon its criteria for the benefit hierarchy were counted respectively, as were the total weights for every alternative based upon its criteria for the cost (risk) hierarchy. Then, for every alternative, its own benefits’ weight was divided by the weights of its cost (risk) to reveal the best alternative.

In sum, the main applications of the AHP are in dealing with uncertain situations and multi-criteria decision-making. Similar applications have been found in prioritized pecking orders, resource planning, allocation, and investment combinations. The following steps detail the formula and its computational procedure.

Step 1. Construction of the hierarchical layer structure

Figure 1 presents this study’s hierarchical layer structure following the theory of the MDM. The structure is divided into three layers comprising namely four criteria, eight sub-criteria, and two alternatives.

Step 2. Establishment of a pairwise comparison matrix

Once the hierarchical layer structure is constructed, the criteria in the same layer are compared pairwise based on the rating scales in Figure 1. Following the pairwise comparison, the matrix is established. This study calculated the geometric mean to integrate all expert-evaluation outcomes.

The establishment of the pairwise comparison matrix A is as follows. Let C₁, C₂, …, C_n denote the set of elements, and let a_ij represent a quantified judgment on a pair of elements (C₁, C_j). The relative importance of two elements is rated using a scale with the values 1, 3, 5, 7, and 9, where 1 is “equally important”, 3 is “slightly more important”, 5 is “significantly more important”, 7 is “demonstrably more important”, and 9 is “absolutely more important”. This yields the following n × n matrix A:

$$A=\left[a_{ij}\right]=\begin{array}{cc}& \begin{array}{cccc}{C}_1& C_2& \cdots & C_{\mathrm{n}}\end{array}\\ \begin{array}{c}{C}_1\\ C_2\\ ⋮\\ C_n\end{array}& \left[\begin{array}{cccc}1& a_{12}& \cdots & a_{1n}\\ 1/a_{12}& 1& \cdots & a_{2n}\\ ⋮& ⋮& \ddots & ⋮\\ 1/a_{1n}& 1/a_{2n}& \cdots & 1\end{array}\right]\end{array}$$

(1)

where a_ij = 1 and a_ji = 1/a_ij, for i, j = 1, 2,…, n. In matrix A, the problem becomes one of assigning a set of numerical weights W₁, W₂, …, W_n to the n elements C₁, C₂, …, C_n that reflect the recorded judgments. If A is a consistency matrix, the relations between weights W_i and judgments a_ij are simply given by W_i/W_j = a_ij (for i, j = 1, 2, …, n) and

$$A=\begin{array}{cc}& \begin{array}{cccc}{C}_1& C_2& \cdots & C_{\mathrm{n}}\end{array}\\ \begin{array}{c}{C}_1\\ C_2\\ ⋮\\ C_n\end{array}& \left[\begin{array}{cccc}{w}_1/w_1& w_1/w_2& \cdots & w_1/w_n\\ w_2/w_1& w_2/w_2& \cdots & w_2/w_n\\ ⋮& ⋮& \ddots & ⋮\\ w_n/w_1& w_n/w_2& \cdots & w_n/w_n\end{array}\right]\end{array}.$$

(2)

Step 3. Maximum eigenvector calculation and weight allocation

Based on the calculation of the pairwise comparison matrix, the eigenvector (which is called the priority vector) can be acquired in correspondence with the maximum eigenvalue. The purpose of the calculation process is to achieve weight allocation.

Saaty [27] suggested that the largest eigenvalue λ_max is

$${\lambda }_{max}={{\displaystyle \sum }}_{i=1}^n{a}_{ij}\frac{W_j}{W_i}.$$

(3)

The eigenvector X can be calculated by solving the following equation:

$$(A-{\lambda }_{max}I)\mathrm{X}=0.$$

(4)

Step 4. Verification of the consistency of the comparison matrix

Saaty [27] proposed utilizing the consistency index (CI) and consistency ratio (CR) to verify the consistency of the comparison matrix. CI and CR are defined as follows:

$$CI=({\lambda }_{max}-n)/(n-1)$$

(5)

$$CR=CI/RI$$

(6)

where RI represents the average CI over numerous random entries of the same order reciprocal matrices. If $CR\le 0.1$, the estimate is accepted; otherwise, a new comparison matrix is requested until $CR\le 0.1$.

4. Applying the Method to Empirical Analysis

As mentioned in Section 3, this research first used the MDM to define criteria, sub-criteria, and alternatives through a literature review and expert confirmation. Subsequently, by inviting experts from industry, academia, and government, the authors solicited their professional expertise to prioritize the criteria, sub-criteria, and the best alternative by having the experts fill in the designed questionnaire. The AHP gave weights to both the criteria and sub-criteria and helped this study determine the best alternative.

4.1. MDM and Questionnaire Dispersion

The first stage of this research was to use the MDM to develop a structural questionnaire. This method was applied to identify criteria and sub-criteria through a literature review combined with experts’ opinion to reach a consensus among the experts’ opinions and also to find the best alternative. The method is characterized by anonymous expert group decisions. Expert consensus can not only substantially decide criteria, sub-criteria, and alternatives but can also confirm their objectivity [28]. According to the aforementioned procedure for building the hierarchical layered structure of the questionnaire, three experts in the professional field of information privacy protection and anti-money laundering were invited to a review discussion. From this discussion, the criteria, sub-criteria, and alternatives were established to help determine appropriate support measures to enhance information privacy protection in Taiwan. The final hierarchical layer structure of the questionnaire is illustrated in Figure 1.

In the second stage of this research, non-probabilistic sampling is conducted, and according to the characteristics of judgement sampling, we determined that this is the most representative method. The authors chose, as questionnaire respondents, experts from industry, academia, and government in fields related to information privacy protection and anti-money laundering. This expert selection process was based on the four characteristics (professional experience, judgment, authority, and willingness to cooperate) proposed by Moeller and Shafer [29] that a qualified expert should have. Furthermore, the number size of experts should be small. Murry and Hammons [18] believed that the no more than 30 experts should be involved in executions of the Delphi method, because efficiency is impeded if too many experts are involved. In this study, the experts comprised a senior employee of the National Development Council, experienced attorneys, a senior in-house council member of a financial institution, industry professionals, and professors. In addition to the questionnaire, supplementary in-depth interviews with designated experts were employed to help determine potential support measures.

The questionnaire part of the research was administered between May 2019 and August 2019, and it can be divided into two parts. The first part involved sending the questionnaire by e-mail to the designated experts, and the second part involved the in-depth interviews with the experts as a supplementary measure to confirm the accuracy of the questionnaire content.

Table 3. Ratios of sent/collected questionnaires on the importance of the criteria and sub-criteria.

Category of Experts	First Round		Second Round		Third Round
	E-Mailed	Collected	E-Mailed	Collected	E-Mailed	Collected
Industry	6	5	6	4	6	2
Government	3	1	3	1	3	1
Academia	4	4	4	3	4	3
Total	13	10	13	8	13	6
Ratio of sent/collected questionnaires	77%		62%		46%

presents the data on the questionnaire collection rates.

4.2. Importance and Consistency Checks of the Criteria and Sub-Criteria

Faherty [30] stated that in the MDM, an interquartile range that is ≤ 0.6 for an indicator would represent high consistency between experts’ opinions on that indicator. Conversely, when an interquartile range which is >1 for an indicator, the calculated outcome vindicates insufficient consistency between experts’ opinions on that indicator. Therefore, in the present study, a criterion or sub-criterion was considered to have passed the importance and consistency checks if it had a high-consistency interquartile range and an importance greater than 4.

Table 4. Integration of interquartile ranges and importance of categorized criteria and sub-criteria based on the modified Delphi method (MDM).

	First Round			Second Round			Third Round
Criteria or Sub-Criteria	Importance Average	Interquartile Ranges	Result	Importance Average	Interquartile Ranges	Result	Importance Average	Interquartile Ranges	Result
A	5.79	0.35	p
B	5.09	0.4	p
C	5.73	0.35	p
D	5.35	0.7	O	5.30	0.55	p
E	3.56	1.05	D
A1	5.47	0.7	O	5.21	0.5	p
A2	5.15	1.05	O	5.27	0.7	O	5.27	0.35	p
B1	4.52	0.7	O	4.62	0.4	p
B2	4.84	0.7	O	4.86	0.4	p
C1	5.47	0.7	O	5.46	0.4	p
C2	4.77	1.4	O	4.78	0.5	p
D1	4.14	0.7	O	4.52	0.5	p
D2	4.52	1.05	O	4.65	0.5	p
E1	3.37	1.05	D
E2	4.20	1.05	O	4.12	1.05	O	3.89	1.05	D

p = passed, O = observed, and D = deleted.

presents the integration of interquartile ranges and importance of the categorized criteria and sub-criteria.

Subsequently, the criteria and sub-criteria that passed the checks were used as candidates for support measures for this study’s final suggestions. The following step was applying the AHP to decide the comparative weights of the criteria and sub-criteria for information privacy protection under the current trend of anti-money laundering, including suggesting the best alternative. Saaty’s [20] formula for the AHP was used in the analysis to infer the weights for the criteria and sub-criteria and to find the best alternative.

4.3. Comparative Weights of the Criteria, Sub-Criteria, and Alternatives through Applying the AHP

Before this study applied the AHP, the data of qualified questionnaires were tested for consistency. Their CR was less or equal to 0.1 and thus passed the consistency test. Thus, this study input these data into the expert choice software, which executed the formula of the AHP, and it determined the comparative weights between the criteria and sub-criteria, as shown in

Table 5. Comparative weights between the criteria and sub-criteria.

Criteria	W/p	Sub-Criteria	W/p	Priority
(A) Internal control in financial institutions	0.263(1)	(A1) Adopting personal information impact assessments	0.141	1
		(A2) Incorporating internal institutions or personnel	0.133	3
(B) Safe-harbor immunity limitation	0.232(4)	(B1) No immunity for non-malicious anti-money laundering reporting	0.116	6
		(B2) Filing of reports should be based on reasonable good-faith suspicion	0.124	4
(C) Prior surveillance mechanism	0.261(2)	(C1) External independent force for supervision	0.141	1
		(C2) Warrant with probable cause for government acquisition	0.123	5
(D) Informed consent	0.243(3)	(D1) Informed consent to permanent limitation of information privacy	0.106	7
		(D2) Informed consent to temporary limitation of information privacy	0.116	6

W = weight, p = priority.

.

As indicated in Table 5, based on the experts’ opinions, the qualified criteria in order of priority were as follows: internal control in financial institutions, prior surveillance mechanisms, informed consent, and safe-harbor immunity limitation. Furthermore, among the sub-criteria, an external independent force for supervision and the adoption of personal information impact assessments were perceived to be the most crucial measures requiring implementation. Finally, after the calculation, the weights of Alternative 2 (“Public and private entities should implement criteria and sub-criteria simultaneously”) and Alternative 1 (“Public entities should implement criteria and sub-criteria first”) were 0.62 and 0.38, respectively.

5. Discussion, Policy Implication, and Conclusions

At present, the government in Taiwan is focused on passing through the evaluation of the Asia/Pacific Group on Money Laundering. As mentioned before, to justify unprecedented personal information collection and avoid potential endowed-power abuse, support measures for information privacy protection are needed in Taiwan. By conducting this empirical study, results reveal that external independent force for supervision and adopting personal information impact assessments are the most important support measures to enhance information privacy protection in Taiwan for both private and public entities. The search results confirmed the assertion of Gouvin [14] to establish an external independent force for supervision. The suggestion of adopting personal information impact assessments in guidelines on data protection in EU financial services regulation has also drawn serious attention. Conversely, Lacey and George [16]’s suggestion which to exclude information privacy protection by informed consent received the least appreciation of experts. Enacting additional requirements in Taiwan’s legal system to protect information privacy is prominent instead of relying on informed consent, avoiding information privacy disputes. Future researchers might consider further investigating what is the real substance of personal information impact assessments and how Taiwan appropriately builds up external independent force for supervision.

Such results implied that regulated entities’ preventive measure (impact assessment) and authorities’ supervision (external independent force) are needed in Taiwan. Therefore, regulated entities and governmental authorities are required to be more cooperative to retain the goal of information privacy protection in wake of anti-money laundering. There are two layers of policy implication. First, study results are in accordance with the current trend of information privacy governance, which emphasizes the joint force between the industry and the government for information privacy protection [31]. In this study, adopting personal information impact assessments in regulated entities indicates the cooperative measure from regulated entities, and establishing an external independent force for supervision represents the cooperative measure from governmental authorities. Second, to increase support measures for information privacy protection will decrease the difficulties to transfer personal information cross-border. The general privacy principle to send personal information outside the jurisdiction is to require that receiving parties come under the same level of information privacy protection. Implementing the above-mentioned support measures will be helpful to convey personal information transnationally, especially to the EU, which requires the stringent protection of information privacy.

This research article might offer some practical value to future legislative change in Taiwan, since there has not yet been any similar quantitative research work designed to resolve the conflict between investigating potential money laundering activities and protecting information privacy. The findings can bolster the justification to adding additional legal requirements to information privacy protection. The limitation to this research paper is the small number of experienced experts and also the difficulty of encouraging them to reveal their personal opinions.